DNS DHCP IPAM


Tip: How to publish public NS IP addresses rather than auto-generated internal IPs

Expert
Posts: 169

So here's another one I helped a customer with recently: they had their grid configured with internal private IPs, but some of the name servers were hosting public-facing zones. The firewall was NATting incoming queries from various public IP addresses to the private addresses so that inbound queries could be resolved from the Internet.

 

The problem was that the NS records that were being included in the "authority" and "additional info" section of the DNS reply included these private IP addresses, which obviously were unreachable from the Internet.

 

The customer was struggling because Infoblox auto-generates the IP addresses of the name servers based on what IP addresses are configured in the grid. So they were trying to do things with stealth records and manually adding NS and public A records but private addresses were still leaking out in the DNS replies.

 

The solution is actually quite simple, but it's quite difficult to find in the GUI (if you are new to Infoblox you will find the GUI a bit of a challenge - who knew that DNS could be so complicated! :-) ). Here's what I did:

 

Go to Data Management->DNS->Members and highlight one of the name servers and click edit. Now select "DNS Views" and you will see "Address of Member Used in DNS Views" is set to the private IP address that is used in the grid. Click "Interface IP Address" and you'll see it changes to a drop-down, select "Other IP Address" and now you can enter the public IP address of this name server.

 

When you go back to the zone and look at the NS and glue records, you will now see that the auto-generated glue record has been updated with the public IP address. Simply repeat for any other grid members you need to do this for.

 

Needless to say, the customer was very happy when we ran through this. I wanted to publish this here so that hopefully this info gets indexed by Google.

 

Cheers,

 

Paul

 

 

 

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

Re: Tip: How to publish public NS IP addresses rather than auto-generated internal IPs

norgan-tafe
Techie
Posts: 1

That's great, but how do you get the name changed? They want to report back their internal server names as name servers, but we want them to return public values, and when I change the grid member's name it conflicts with our internal view with the split-DNS zone.

Re: Tip: How to publish public NS IP addresses rather than auto-generated internal IPs

Adviser
Posts: 70

Hi,

 

From what I understand, your requirement is that when queried from a source matching the external view, the NS records for a zone should show custom names and IP addresses rather than the interface IP addresses and the member names. The method mentioned above can advertise external IPs but not the external names.

Here is a workaround that may meet your requirement. However, I must mention that the workaround may be less than ideal.

    1. Edit the zone and go to name server settings.
    2. Edit all the grid name servers and make them 'stealth'.
    3. Add new name server entries as external name servers with the names and IP addresses that you want. These can be the external IP addresses of your appliances. However, the IP addresses must not be used on any members in any configuration on the grid (such as in DNS view settings or NAT address settings of the member).
    4. Go to 'settings' in the zone editor.
    5. Change the 'MNAME' field to match the value that you require.
    6. Save the changes.


Below is the DNS configuration file section showing the zone.

 

    zone "infoblox.com" in { # infoblox.com
        type master;
        database infoblox_zdb;
        masterfile-format raw;
        file "azd/db.infoblox.com.32";
        allow-update { key DHCP_UPDATER32; any;  };
        allow-transfer { 67.67.67.67; 77.77.77.77; };
        also-notify { 10.192.32.191; 10.192.32.124; };
        notify yes;
        infoblox-last-queried-zone yes;
    };
    }; # closes the enclosing view block, whose opening line is not shown here


Below are the actual name servers for the zone.

 

gridmaster.shiftlead.infoblox.com    10.192.32.240    Grid Primary      Stealth: Yes
mssync.shiftlead.infoblox.com        10.192.32.191    Grid Secondary    Stealth: Yes
ns1.infoblox.com                     67.67.67.67      Ext Secondary     Stealth: No
ns2.infoblox.com                     77.77.77.77      Ext Secondary     Stealth: No
rpz.shiftlead.infoblox.com           10.192.32.124    Grid Secondary    Stealth: Yes

Below are query outputs for the zone.


[srenjith@sup-sc-03 ~]$ dig @10.192.32.240 infoblox.com ns

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.3 <<>> @10.192.32.240 infoblox.com ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1983
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;infoblox.com.                  IN      NS

;; ANSWER SECTION:
infoblox.com.           28800   IN      NS      ns1.infoblox.com.
infoblox.com.           28800   IN      NS      ns2.infoblox.com.

;; ADDITIONAL SECTION:
ns2.infoblox.com.       28800   IN      A       77.77.77.77
ns1.infoblox.com.       28800   IN      A       67.67.67.67

;; Query time: 244 msec
;; SERVER: 10.192.32.240#53(10.192.32.240)
;; WHEN: Wed Aug 16 00:46:46 PDT 2017
;; MSG SIZE  rcvd: 109

 

[srenjith@sup-sc-03 ~]$ dig @10.192.32.240 infoblox.com soa

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.3 <<>> @10.192.32.240 infoblox.com soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31224
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;infoblox.com.                  IN      SOA

;; ANSWER SECTION:
infoblox.com.           28800   IN      SOA     ns1.infoblox.com. please_set_email.absolutely.nowhere. 5 14400 3600 2419200 900

;; AUTHORITY SECTION:
infoblox.com.           28800   IN      NS      ns2.infoblox.com.
infoblox.com.           28800   IN      NS      ns1.infoblox.com.

;; ADDITIONAL SECTION:
ns2.infoblox.com.       28800   IN      A       77.77.77.77
ns1.infoblox.com.       28800   IN      A       67.67.67.67

;; Query time: 243 msec
;; SERVER: 10.192.32.240#53(10.192.32.240)
;; WHEN: Wed Aug 16 00:57:38 PDT 2017
;; MSG SIZE  rcvd: 180

 

 

Hope this helps.

Regards,

Sandeep
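The symptom in Paul's first post (private interface addresses showing up as glue in the ADDITIONAL section) and the MNAME step in Sandeep's workaround are both easy to verify from the outside with a query like the dig runs above. The script below is an added example, not code from the thread or from Infoblox: it parses text in dig's output format, collects the NS names, the A/AAAA glue and the SOA MNAME, and flags any glue address that is not globally routable, any in-zone NS without glue, and an MNAME that is not one of the published NS names. The three sample responses are constructed for the example (the "before" zone myzone.com with in-zone server names and the 10.x addresses from this thread; the "after" responses mirror Sandeep's output), so it runs offline; to check a real zone, paste the output of `dig @<server> <zone> ns` and `dig @<server> <zone> soa` in their place.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample responses in dig's text format (not captured from a live server).
# "Before": the grid members' private interface addresses are published as glue.
BEFORE_NS = """\
;; QUESTION SECTION:
;myzone.com.                    IN      NS

;; ANSWER SECTION:
myzone.com.             28800   IN      NS      ns1.internal.myzone.com.
myzone.com.             28800   IN      NS      ns2.internal.myzone.com.

;; ADDITIONAL SECTION:
ns1.internal.myzone.com. 28800  IN      A       10.192.32.240
ns2.internal.myzone.com. 28800  IN      A       10.192.33.192
"""

# "After": the public names and addresses as in Sandeep's dig output.
AFTER_NS = """\
;; QUESTION SECTION:
;infoblox.com.                  IN      NS

;; ANSWER SECTION:
infoblox.com.           28800   IN      NS      ns1.infoblox.com.
infoblox.com.           28800   IN      NS      ns2.infoblox.com.

;; ADDITIONAL SECTION:
ns2.infoblox.com.       28800   IN      A       77.77.77.77
ns1.infoblox.com.       28800   IN      A       67.67.67.67
"""

AFTER_SOA = """\
;; ANSWER SECTION:
infoblox.com.           28800   IN      SOA     ns1.infoblox.com. hostmaster.infoblox.com. 5 14400 3600 2419200 900
"""

# SOA still naming the (stealth) grid master: the MNAME step of the workaround was skipped.
STALE_SOA = """\
;; ANSWER SECTION:
infoblox.com.           28800   IN      SOA     gridmaster.shiftlead.infoblox.com. hostmaster.infoblox.com. 5 14400 3600 2419200 900
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


@dataclass
class ZoneNsView:
    """What an outside resolver would learn about the zone's delegation."""
    zone: str = ""
    ns_names: set[str] = field(default_factory=set)
    glue: dict[str, set[str]] = field(default_factory=dict)  # NS name -> addresses
    mname: str = ""


def parse_dig(text: str, view: ZoneNsView | None = None) -> ZoneNsView:
    """Fold one dig output into the view; call again with the SOA query's output."""
    view = view or ZoneNsView()
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "QUESTION" and line.startswith(";") and not line.startswith(";;"):
            view.zone = line[1:].split()[0].lower().rstrip(".")
            continue
        if not line or line.startswith(";"):
            continue
        rr = RR_RE.match(line)
        if not rr:
            continue
        owner, _ttl, rtype, rdata = rr.groups()
        owner = owner.lower().rstrip(".")
        if rtype == "NS" and section in ("ANSWER", "AUTHORITY"):
            view.ns_names.add(rdata.strip().lower().rstrip("."))
        elif rtype in ("A", "AAAA") and section == "ADDITIONAL":
            view.glue.setdefault(owner, set()).add(rdata.strip())
        elif rtype == "SOA" and section == "ANSWER":
            view.mname = rdata.split()[0].lower().rstrip(".")
    return view


def audit(view: ZoneNsView) -> list[str]:
    """Return findings; an empty list means nothing private or inconsistent is published."""
    findings: list[str] = []
    for name in sorted(view.ns_names):
        addrs = view.glue.get(name, set())
        # Out-of-bailiwick NS names legitimately carry no glue, so only in-zone names are checked.
        in_bailiwick = name == view.zone or name.endswith("." + view.zone)
        if in_bailiwick and not addrs:
            findings.append(f"{name}: in-zone NS without glue in ADDITIONAL")
        for addr in sorted(addrs):
            if not ipaddress.ip_address(addr).is_global:  # RFC 1918, loopback, link-local, ...
                findings.append(f"{name}: non-public glue address {addr} would leak")
    if view.mname and view.mname not in view.ns_names:
        findings.append(f"SOA MNAME {view.mname} is not among the published NS names")
    return findings


def check_before() -> list[str]:
    return audit(parse_dig(BEFORE_NS))


def check_after() -> list[str]:
    return audit(parse_dig(AFTER_SOA, parse_dig(AFTER_NS)))


def check_stale_mname() -> list[str]:
    return audit(parse_dig(STALE_SOA, parse_dig(AFTER_NS)))


if __name__ == "__main__":
    for label, fn in (("before", check_before), ("after", check_after), ("stale MNAME", check_stale_mname)):
        print(f"{label}: {fn() or ['no findings']}")
```

The "before" case reproduces Paul's leak (two 10.x glue addresses), the "after" case comes back clean, and the third case shows why Sandeep's MNAME step matters: with the grid members stealthed, an SOA that still names the grid master advertises a host that is not in the public NS set.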

Re: Tip: How to publish public NS IP addresses rather than auto-generated internal IPs

mbuster25
Techie
Posts: 2

Hi Paul:

I'm new to Infoblox and getting my feet wet.

I think I am running into a similar situation, which your tip would solve.

I have a Netscaler load balancer (NAT with a public IP) that is load balancing across two grid name servers that are using private IPs (not public facing). The idea is to pass all traffic through the Netscaler. When I added the name servers to the zone, they served queries for the zone and seemed to work fine; the only problem I saw was that using any number of online DNS query checks against the zone/domain, it would find the name servers and display the private IPs.

I had thought maybe putting them into "stealth" would be an option?

Could I use your tip below and assign the same NATted public IP to both of the name servers as the IP to use, instead of their unique private IP?

THANKS

Re: Tip: How to publish public NS IP addresses rather than auto-generated internal IPs

Adviser
Posts: 77

Hello,

 

 

I’ll put this across to you in this way, so that it’ll be easier.

Say, for example:

  • Your zone is ‘myzone.com’.
  • Name/IP address of the load balancer: ns.loadbalancer.com/213.22.3.4 (NAT IP)
  • Authoritative name servers for ‘myzone.com’ (internal members):
         ns1.internal.com/10.192.32.240 (private IP address)
         ns2.internal.com/10.192.33.192 (private IP address)

As per the expected behaviour, when someone from the internet queries for the name server records of ‘myzone.com’, it would return:

Answer section -
  • ns1.internal.com/ns2.internal.com as the NS records

Additional section –
  • ns1.internal.com with IP address 10.192.32.240
  • ns2.internal.com with IP address 10.192.33.192

So now, the questions. I’ll put your requirements as 2 options:

A) The response for the name server query to ‘myzone.com’ should be:

Answer section -
  • ns1.internal.com as the NS record.

Additional section –
  • ns1.internal.com with IP address 213.22.3.4.

OR

B) The response should be like:

Answer section -
  • ns.loadbalancer.com as the NS record.

Additional section –
  • ns.loadbalancer.com with IP address 213.22.3.4.

Solution:

  • If your requirement is option A, then you may go for the steps as suggested by Paul. Section “Changing the Interface IP Address” from chapter “DNS Views” of the NIOS administrator guide would help you with this.

  • In case you are looking for the output as in option B, you may go for the steps suggested by Sandeep. Section “Specifying External Secondaries” from chapter “Configuring DNS Zones” would help you with this part. To change the MNAME, refer to “Configuring Authoritative Zone Properties” from the same chapter. Your idea of configuring the name servers in stealth mode is correct, but NIOS won’t accept the configuration unless there is one non-stealth name server listed in the ‘Name servers’ section of zone properties (this step is part of the solution suggested by Sandeep).

Please feel free to let us know if you have questions.

 

 

 

Regards,

Mohammed Alman.

Re: Tip: How to publish public NS IP addresses rather than auto-generated internal IPs

mbuster25
Techie
Posts: 2

Hi malman,

Thank you so much for the response, and I like that you gave me options :)

In option 1:

  Can I assign both name servers in the view to the NS public IP, so that it would return

  • ns1.internal.com with IP address 213.22.3.4.
  • ns2.internal.com with IP address 213.22.3.4.

as well as update .com with the name server

   ns.loadbalancer.com 213.22.3.4

and not configure anything else with Infoblox?

In this way ns1, ns2 and ns.loadbalancer.com would all return the same IP, and we need not even inform Infoblox that the Netscaler is front-ending it.

Thanks for the tip on the stealth; having to have one non-stealth makes sense.

Re: Tip: How to publish public NS IP addresses rather than auto-generated internal IPs

Adviser
Posts: 77

Hello,

Yes. You can assign the same IP address of the load balancer as ‘Interface IP Address’ -> ‘other IP address’, from the member DNS properties of both internal name servers (respective DNS view).

Further, you may add the Netscaler name/IP at the registrar, and I believe your expectation should be fulfilled. The reason being that in either case, the destination IP address is the public IP of the Netscaler. As long as the Netscaler is able to process the incoming DNS requests for this zone at its port 53, there shouldn’t be a problem.

You may always feel free to engage Infoblox support in case there is a problem, or you may post your reply here so that we could address it for you.

 

Best regards,

Mohammed Alman.

Re: Tip: How to publish public NS IP addresses rather than auto-generated internal IPs

Azhar7
Techie
Posts: 1

Currently our authoritative DNS servers (ns1, ns2, and ns3) publish internal IP addresses to the open internet.

I need to have our DNS servers modified such that internal 10.x.x.x IPs are not published to the open internet.

Re: Tip: How to publish public NS IP addresses rather than auto-generated internal IPs

TTiscareno Community Manager
Community Manager
Posts: 242

This is a rather old thread. For future reference, please be sure to start a new thread so that you are more likely to see a response.

 

For your question here, refer to the section titled "Changing the Interface IP Address" under "Managing the DNS Views of a Grid Member" in the DNS Views chapter in the NIOS Administrator Guide.

 

The NIOS Administrator Guide is available through the Tech Docs section in the Infoblox Support portal (https://support.infoblox.com/), or through the Help panel in your Infoblox GUI.

 

Regards,

Tony


@Azhar7 wrote:

Currently our authoritative DNS servers (ns1, ns2, and ns3) publish internal IP addresses to the open internet.

I need to have our DNS servers modified such that internal 10.x.x.x IPs are not published to the open internet.

Re: Tip: How to publish public NS IP addresses rather than auto-generated internal IPs

Expert
Posts: 169
Please read the first post in this thread for the solution.
Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE